IBM Security SOAR (Resilient)
Getting Started with IBM Security SOAR (formerly Resilient)
The total time required to complete this roadmap is 5h 9m.
Overview and install
On-premises setup
User management and authentication
Common use cases
Badges and Certifications
IBM Security SOAR Application Administrator/SaaS Administrator (Master Administrator)
The total time required to complete this roadmap is 2h 18m.
Managing users
Authentication
Setting up the ORG
Workspaces
Playbook Designer/ Developer
The total time required to complete this roadmap is 9h 28m.
Foundations of Design
Automation and Integrations
Security Analyst
The total time required to complete this roadmap is 48m.
IBM Security SOAR Security Foundations
IBM Security SOAR Dashboards and Reporting
Artifacts and Threat Feeds
Privacy Officer
The total time required to complete this roadmap is 37m.
IBM Security SOAR Privacy Foundations
IBM Security SOAR System Administrator (OVA Administrator)
The total time required to complete this roadmap is 2h 35m.
Installation
Configuration
Logging and troubleshooting
Authentication
Backup and DR
Experts from the IBM Resilient and QRadar Support teams show the SOC analyst how to safely and effectively troubleshoot their Resilient integration with QRadar when issues arise. This video is a recording of a live Open Mic web seminar originally broadcast on 29-July-2020.
Agenda:
- How to enable debug and retrieve logs
- Checking connectivity
- How to read the logs
- Using the IBM QRadar API
- Common errors
- Opening a case, what next?
- Questions for the panel
Duration: 26 minutes
Agenda
- Review of resilient-sdk
- App Host for Developers
- Migrating to App Host
- Developing for App Host
- Current Issues
- Resources & References
Duration: 40 minutes
Join the IBM Security Learning Services team for an in-depth tour of the Security Learning Academy, with a focus on IBM Security Resilient SOAR course offerings. During this webinar, you will see how to navigate the platform, search the course catalog, enroll in a course, view your enrollments on your dashboard, create progress reports, and see how Security Learning Academy is integrated with IBM VIP Rewards for Security.
Contents
- Introduction
- Content requirements process
- Tour the IBM Security Learning Academy home page
- Take a deeper look at Resilient courses and course roadmaps
- Your personal dashboard
- Progress reports
- Integration between the Academy and the IBM VIP Rewards for Security program
Duration: 36 minutes
The MITRE ATT&CK Framework is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.
The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and services community.
This video provides an overview of the MITRE ATT&CK Framework, followed by a discussion of how IBM Resilient and other IBM Security products use MITRE ATT&CK, with a live demonstration and a Q&A.
Overview
This course is designed to provide an initial introduction to the Resilient SOAR platform. It will help you understand how Resilient can be integrated into your environment and provide the tools to get started. The Resilient SOAR platform gives your security team the ability to automate case management for security or privacy events and can be used to automate and document your incident response plans.
Agenda
- Introduction to Resilient and the Resilient SOAR User Interface
- How Resilient Aligns to your Organization
- Installing & Administering Resilient
- Developing Playbooks
- Resources and Support
This video is a recording of the Resilient and QRadar Integration Open Mic web seminar originally broadcast on 17-November-2020.
Agenda
- Part 1: IBM Resilient (SOAR) QRadar Integration App
- Installation
- Configuration (JINJA template)
- AQL Attachment
- Syncing notes and offenses status
- Part 2: QRadar Functions for Resilient
- Installation of the Functions (AppHost)
- Examples and demonstration of functions, workflows, rules, and actions that extract the data from QRadar
- QRadar AQL Search
- Questions & Answers
Overview
- Automate the escalation and collection of data
- Manage a ransomware attack
- Deal with a data breach involving an inside actor
- Accelerate your Response to Phishing Attacks
Overview
You can configure the IBM Security Resilient platform to create new incidents or update existing incidents from incoming email.
In this course, you learn how to configure the Resilient platform to connect to an email inbox and create a rule that processes email messages by using a template with a Python script. As a result of the script, an incident is created with artifacts extracted from the email messages (such as IPs and URLs) and an email notification is sent to the incident owner.
Objectives
- Observe automated email parsing in action
- Configure an inbound email connection
- Customize a sample email script
- Create a rule to trigger the script
- Test the email processing
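The extraction step described above, as an added example that is not part of the course or of the product's sample email script: it parses a constructed message with the Python standard library, pulls out URL and IPv4 artifacts, discards values that are not valid addresses or that fall inside the organisation's own ranges (the INTERNAL_NETS list is an assumption), and returns a plain dict. The artifact type names "URL" and "IP Address" follow Resilient's display names, and the defanged "display" form is included because artifacts pasted from a phishing mail should not be clickable in the incident.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample message for the example; not a real phishing e-mail.
SAMPLE_EMAIL = b"""\
From: helpdesk@example.net
To: soc@example.com
Subject: [SUSPECTED PHISH] Password reset required
Content-Type: text/plain; charset=utf-8

Your password expires today. Reset it at http://login-example.evil.test/reset?u=42
or via our mirror https://198.51.100.23/portal . If that fails call 203.0.113.7.
Ignore 999.1.1.1 (not an address) and 10.0.0.1 (internal host).
"""

URL_RE = re.compile(r"\bhttps?://[^\s<>\"'()\[\]]+", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Assumption: the analyst's own address space, which should not become artifacts.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def defang(indicator: str) -> str:
    """Make a URL or IP non-clickable: http -> hxxp, '.' -> '[.]'."""
    return re.sub(r"^http", "hxxp", indicator, flags=re.IGNORECASE).replace(".", "[.]")


def _unique(values):
    """De-duplicate while keeping first-seen order."""
    seen, out = set(), []
    for v in values:
        if v not in seen:
            seen.add(v)
            out.append(v)
    return out


def extract_artifacts(raw_message: bytes) -> dict:
    """Parse an RFC 822 message and return the incident fields a rule script would set."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""

    urls = _unique(URL_RE.findall(text))
    public_ips, internal_ips = [], []
    for candidate in _unique(IPV4_RE.findall(text)):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:
            continue  # e.g. 999.1.1.1 looks like an address but is not one
        (internal_ips if any(ip in net for net in INTERNAL_NETS) else public_ips).append(candidate)

    # Artifact type names follow the Resilient display names "URL" and "IP Address" (assumption).
    artifacts = [{"type": "URL", "value": u, "display": defang(u)} for u in urls]
    artifacts += [{"type": "IP Address", "value": ip, "display": defang(ip)} for ip in public_ips]
    return {
        "name": f"Email: {msg['subject']}",
        "reporter": str(msg["from"]),
        "artifacts": artifacts,
        "skipped_internal": internal_ips,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(extract_artifacts(SAMPLE_EMAIL), indent=2))
```

In a real rule script the returned dict is mapped onto the platform's incident and artifact objects; the validation and the internal-range filter are the parts worth keeping, because a rule that turns every dotted quad in an attacker-controlled message into an artifact will happily create artifacts for your own DNS servers.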

Overview
This is an IBM-issued and IBM-recognized badge that attests that recipients have demonstrated knowledge of the basic features and functions needed to work with the IBM Security Resilient incident response product. The badge holder can effectively navigate the Resilient UI, work with users and authentication, administer the organization, and perform Resilient product administration.
How can I earn this badge?
- This badge is open to all IBM clients, Business Partners and employees.
- Successful completion of all courses listed in the Required courses section below.
- Earn 80 percent or higher on the quiz.
Overview
The Resilient platform implements incident responses through the use of dynamic playbooks. A dynamic playbook is the set of rules, conditions, business logic, workflows and tasks used to respond to an incident. The Resilient platform updates the response automatically as the incident progresses and is modified.
In this course, you learn the Resilient basic concepts, platform architecture, and will review a demonstration of the installation process.
Objectives
- Learn the value of IBM Resilient
- Review the introduction video to the IBM Resilient platform
- Learn the IBM Resilient Platform architecture
- Learn about necessary prerequisites
- Review the installation process
- Describe the value of dynamic playbooks
Overview
- Configuring SSL/TLS certificates
- Importing the Resilient License Key
- Updating the Resilient Appliance Software
- Installing optional packages
- Setting the time zone
- SMTP email configuration
Overview
This course is designed to provide an initial introduction to the Resilient Incident Response Program. It will help you understand how Resilient can be integrated into your environment and provide the tools to get started.
Agenda
- Introduction to Resilient
- How Resilient Aligns to your Organization
- Installing & Administering Resilient
- Developing Playbooks
- Resources and Support
Overview
Closed captions: English, French, German, Spanish and Japanese
Overview
This course demonstrates how to manage logs in the IBM Resilient appliance. This includes how to configure logging, audit logging and syslog.
Agenda
- 1. Log configuration
- 2. Configuring audit logs
- 3. Configuring syslog
Duration: 8 minutes
Closed captions: English, French, German, Spanish and Japanese
Overview
This course covers aspects of managing users and groups in IBM Resilient, such as creating users by using the Resilient user interface or terminal commands, and how to reassign incidents and tasks to a different user.
Agenda
- Creating a user using the UI
- Creating a user using terminal commands
- Reassigning incidents and tasks
- Enabling LDAP authentication
- Enabling LDAP users in groups and deleting LDAP users
In the fourth and final session of the Resilient Developer's Corner series, learn how to publish your integration to the App Exchange. This talk will walk through the steps to complete your integration and submit it for publication on the App Exchange. It will include how to follow the validation process and what steps to take to ensure successful validation.
Join Mark Scherfling, Resilient Engineering Manager, for this technical webinar and an in-depth look at the inner workings of the Resilient SOAR Platform and integrations.
Agenda
- Introduction
- Why publish?
- Requirements checklist
- Files to change
- Additional tools
- Submission prep
- Submission demonstration
- Validation process
- References
Duration: 26 minutes
Learn about the newest integration and how it can be leveraged in your environment. Utilize data in Resilient the way you want to by leveraging the newly released Data Feeder extension. This extension allows you to maintain “replica” data of a Resilient system for the purposes of reporting. It also allows enhanced accessibility of your data by allowing you to run business intelligence (BI) queries from other tools.
Join Ray Suarez, Product Manager for Resilient, in this month’s update to learn about one of our newest integrations.
Agenda
- Introduction
- The need for SOAR data
- Resilient & Data Feeder Integration
- Resilient Data Storage Overview
- app.config Configuration File
- Specify Incident Range
- A Tour of the App Exchange
- Resilient Actions Demonstration
- Review of the Resilient integrations
- Questions and answers
Duration: 19 minutes
This is the first session of the multi-part Resilient Developer's Corner series. As additional parts are published, links will be added to the Quick references section below.
Learn how to start writing an integration and how to use the template files auto-generated from Resilient functions.
Agenda
- Introduction
- Future recordings in this series
- Requirements
- Integration Taxonomy
- Integration Environment
- Demonstration using Resilient Console
- Customization settings
- Message Destinations
- Functions
- Rules
- Using codegen to automate the generation of Python integration code
- Detailed example of building out an integration in Python
Duration: 30 minutes
In the second session of the Resilient Developer's Corner series, learn about the best ways to define and include your integration's Rules and Workflows in your integration package.
Agenda
- Rules
- Activity Fields
- Conditions
- Workflows
- Properties
- Branching
- Workflow Status
- Action Status
Duration: 26 minutes
- Learn how to start writing an integration and how to use the template files auto-generated from Resilient functions.
- Learn about the best ways to define and include your integration's Rules and Workflows in your integration package.
- Learn how to use the resilient-lib Python library, which contains convenient functions for common integration development requirements, to speed up integration development.
- Learn how to publish your integration to the App Exchange, complete your integration, and submit it for publication on the App Exchange.
- Learn how to follow the validation process and what steps to take to ensure successful validation.
Agenda
- Resilient Integration First Steps (30 min)
- Rules and Workflows (26 min)
- Speed Integration Development with resilient-lib (18 min)
- Publishing to the App Exchange (26 min)
In this course, you learn how to use the Resilient platform to track time that is spent on incident field values and you see examples of graphing incidents over time.
The tutorial shows you how to configure the Resilient platform to track time changes to incident field values.
You can configure the Resilient platform to track time for incident fields for select and boolean field types, for both custom and default fields. This enables you to track the time you take to perform various tasks, activities, and processes when you respond to an incident.
Agenda
- Tracking time spent on incident field values
- Creating custom graphs in the Resilient application
- Tutorial: Time tracking incident field states
- Step 1: Edit Incident field
- Step 2: Tracking a custom field
- Step 3: Adding time tracking data to a custom tab
- Step 4: Creating a time tracking custom graph
This video demonstrates when and how to use rules and workflows configuration objects in Resilient to implement dynamic incident response playbooks.
Agenda
- Introduction
- When to use rules
- When to use workflows
- Summary
Duration: 11 minutes
Overview
This course reviews key issues in managing security in IBM Resilient. Topics cover a broad range of issues such as how to defang a URL, change ciphers and protocols, how to work with keyvaults, keystores and secrets, as well as how to encrypt and back up the keyvault password.
Agenda
- Defanging URLs
- This video demonstrates how to "defang" your URLs in IBM Resilient to help ensure users do not inadvertently click on malicious links.
- Changing Ciphers and Protocols in IBM Resilient
- This video demonstrates how to change the ciphers and protocols in IBM Resilient. There is a review of which ciphers and protocols are used by default using the nmap application, followed by a demonstration of which files need to be edited in order to adjust the ciphers and protocols being used.
- Keyvaults, Keystores and Secrets
- This video discusses keyvaults, keystores and secrets within IBM Resilient.
- Encrypting the keyvault password
- This video describes how to encrypt a keyvault password in IBM Resilient. The keyvault password is stored as an unencrypted file by default but can be encrypted using gpg to protect it and decrypted whenever needed.
- Backing up the keyvault
- The keyvault stores all passwords used within IBM Resilient. If the keyvault were lost, it would result in a considerable loss of data. For that reason, the Resilient platform runs a backup of keyvault files to the system database anytime passwords are added or removed and after each system upgrade. This video shows how to use the resutil keyvaultrestore command to restore keyvault files from the system database.
Duration: 19 minutes
Closed captions: English, French, German, Spanish and Japanese
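The nmap review mentioned under "Changing Ciphers and Protocols" produces a list of offered protocol versions and suites; deciding which of them have to go is the step the video leaves to the administrator. The following is an added example, not course material, that parses a constructed sample of `nmap --script ssl-enum-ciphers` output and applies a policy that is an assumption of this example (TLS 1.2/1.3 only, forward-secret key exchange, AEAD suites, no legacy primitives), so the same check can be re-run after the configuration files have been edited.

```python
import re

# Constructed sample of `nmap --script ssl-enum-ciphers -p 443 <host>` output;
# not a scan of any real Resilient appliance.
SAMPLE_NMAP = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|_  least strength: C
"""

# Policy used by this example (an assumption, not an IBM recommendation):
# only TLS 1.2/1.3, forward-secret key exchange, AEAD ciphers, no legacy primitives.
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
PROTO_RE = re.compile(r"^\|\s+(SSLv\d|TLSv1\.\d):\s*$")
CIPHER_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s+\([^)]*\)\s+-\s+([A-F])\s*$")


def cipher_issues(suite: str) -> list:
    """Return the policy violations for one IANA cipher-suite name."""
    issues = []
    if not any(k in suite for k in ("_ECDHE_", "_DHE_", "TLS_AKE_")):
        issues.append("no forward secrecy")
    if not any(k in suite for k in ("_GCM_", "_CHACHA20_", "_CCM")):
        issues.append("not AEAD")
    for weak in ("3DES", "_DES_", "RC4", "NULL", "EXPORT", "MD5"):
        if weak in suite:
            issues.append(f"legacy primitive {weak}")
    return issues


def triage(nmap_output: str) -> dict:
    """Parse ssl-enum-ciphers output and list the protocols and suites that violate the policy."""
    protocols, findings, current = [], [], None
    for line in nmap_output.splitlines():
        m = PROTO_RE.match(line)
        if m:
            current = m.group(1)
            protocols.append(current)
            continue
        m = CIPHER_RE.match(line)
        if m and current:
            suite, grade = m.groups()
            issues = cipher_issues(suite)
            if current not in ALLOWED_PROTOCOLS:
                issues.insert(0, f"offered on {current}")
            if issues:
                findings.append({"protocol": current, "suite": suite, "grade": grade, "issues": issues})
    bad_protocols = [p for p in protocols if p not in ALLOWED_PROTOCOLS]
    return {
        "protocols": protocols,
        "bad_protocols": bad_protocols,
        "findings": findings,
        "compliant": not bad_protocols and not findings,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_NMAP), indent=2))
```

Note that nmap's letter grade alone is not enough: the sample's TLS_RSA_WITH_AES_256_GCM_SHA384 is graded A yet has no forward secrecy, which is why the policy is expressed over the suite name rather than the grade.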
This video demonstrates how Resilient Task Helper Functions can help clean and consolidate notes to improve visibility into completed tasks and ultimately cut down the time to respond for your security team.
Agenda
- Introduction
- Cleaning up your results
- Live Demonstration
- Automation
- Workflows & Artifacts
- Phases and Tasks
- Attachments
- Task Helper Functions
- Workflow execution at the task level
- Q&A
Duration: 29 minutes
Overview
This course covers several alternative mechanisms for authenticating users in the IBM Resilient product, including LDAP, SAML and two-factor authentication.
Agenda
- LDAP authentication
- SAML authentication configuration
- Two-factor authentication
Duration: 22 minutes
Closed captions: English, French, German, Spanish and Japanese
The Federal Trade Commission (FTC) is the primary federal data security regulator in the US. The FTC has brought numerous data security enforcement actions under Section 5 of the FTC Act for unfair or deceptive trade practices.
The FTC typically enters into a consent decree with violating organizations, rather than litigating data breach cases. The FTC may seek redress in the form of civil penalties in some data breach enforcement actions. When recovering a civil penalty, the FTC must file suit in federal court. Generally, the FTC negotiates the terms of a stipulated judgment with the violating organization prior to filing suit and then concurrently files its civil complaint and stipulated judgment. In recent consent decrees, the FTC has negotiated language requiring the violating organization to report any notifiable data breaches and submit compliance reports with specific criteria to the FTC.
In this course, you will learn how to use Resilient's customization features to develop a framework to comply with the data breach notification requirements of an FTC consent decree.
Agenda
- Federal Trade Commission (FTC): An Overview
- FTC Enforcement Actions
- Obligations to Report Covered Incidents to the FTC
- Using Resilient
Overview
- Workspace key concepts
- Create workspace
- Delete workspace
An IBM Security Resilient App Host is a Kubernetes-based container deployment environment that hosts Resilient app containers. An App Host is paired to only one Resilient organization; however, a single Resilient organization can be paired to multiple App Hosts to help organize apps or access different network zones.
This lab walks you through an App Host installation.
This lab focuses on the integration of IBM Security Resilient SOAR Platform and IBM Security QRadar SIEM products.
The IBM QRadar SIEM solution helps you monitor and detect security threats. Based on the QRadar correlation rule engine (CRE), the product can generate offenses that require the attention of a security analyst.
- The IBM Resilient QRadar Integration app
The app is installed on QRadar. It is responsible for sending the offense, offense details, owner, and artifacts to Resilient, as well as synchronizing notes and synchronizing closure of the incident or the offense on both platforms.
- The QRadar Functions for Resilient app
The app installs on the Resilient App Host. It can run searches of QRadar data by using the QRadar Ariel Query Language (AQL) and make API calls to update QRadar configuration, such as manipulating the data in QRadar reference sets.
Some of the topics covered in the lab are:
- Install QRadar app for Resilient
- Configure QRadar app for Resilient
- Customize the Resilient configuration
- Customize the Jinja templates
- Configure Custom Actions and synchronization
- Install QRadar functions for Resilient
- Create table with artifacts by using the QRadar functions
- Create action to search QRadar for file hashes from a log source
- Test the apps integration and customization using the QRadar offenses
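The "search QRadar for file hashes from a log source" action above combines the two things the QRadar Functions app does: build an AQL statement from incident artifacts and drive the asynchronous Ariel search API. The block below is an added example, not the app's code. The endpoint paths follow the QRadar REST API reference for Ariel searches (POST /api/ariel/searches, GET /api/ariel/searches/{id}, GET /api/ariel/searches/{id}/results); the custom event property name "File Hash", the event field list, and the FakeQRadar client are assumptions so the flow runs offline. The point a practitioner should take from it is that artifact values are attacker-influenced input and are validated as hex before they reach the query, rather than escaped and concatenated.

```python
import re
import time

# MD5 / SHA-1 / SHA-256 hex only; anything else is rejected rather than escaped.
HEX_HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")


def aql_literal(file_hash: str) -> str:
    """Turn an artifact value into an AQL string literal after strict validation."""
    if not HEX_HASH_RE.match(file_hash):
        raise ValueError(f"not a hex file hash: {file_hash!r}")
    return f"'{file_hash.lower()}'"


def build_hash_query(hashes, log_source_id: int, hours: int = 24) -> str:
    """AQL for events from one log source whose "File Hash" custom property matches.
    The custom event property name "File Hash" is an assumption for this example."""
    literals = ", ".join(aql_literal(h) for h in hashes)
    return (
        'SELECT starttime, sourceip, destinationip, "File Hash" FROM events '
        f'WHERE logsourceid = {int(log_source_id)} AND "File Hash" IN ({literals}) '
        f"LAST {int(hours)} HOURS"
    )


def run_search(client, query: str, poll_seconds: float = 2.0, max_polls: int = 60) -> list:
    """Submit an Ariel search and poll until it completes (Ariel searches are asynchronous).
    `client` is any object with get(path, params) / post(path, params) returning parsed JSON."""
    search = client.post("/api/ariel/searches", params={"query_expression": query})
    search_id = search["search_id"]
    for _ in range(max_polls):
        status = client.get(f"/api/ariel/searches/{search_id}")["status"]
        if status == "COMPLETED":
            return client.get(f"/api/ariel/searches/{search_id}/results")["events"]
        if status in ("CANCELED", "ERROR"):
            raise RuntimeError(f"search {search_id} ended with status {status}")
        time.sleep(poll_seconds)
    raise TimeoutError(f"search {search_id} did not complete after {max_polls} polls")


class FakeQRadar:
    """Constructed stand-in for the QRadar REST API so the flow runs offline."""

    def __init__(self):
        self.queries = []
        self._statuses = ["WAIT", "EXECUTE", "COMPLETED"]

    def post(self, path, params=None):
        assert path == "/api/ariel/searches"
        self.queries.append(params["query_expression"])
        return {"search_id": "a1b2c3", "status": "WAIT"}

    def get(self, path, params=None):
        if path.endswith("/results"):
            # Constructed sample event; the hash is that of the EICAR test file.
            return {"events": [{"starttime": 1700000000000, "sourceip": "203.0.113.9",
                                "destinationip": "198.51.100.4",
                                "File Hash": "44d88612fea8a8f36de82e1278abb02f"}]}
        return {"status": self._statuses.pop(0)}


if __name__ == "__main__":
    q = build_hash_query(["44d88612fea8a8f36de82e1278abb02f"], log_source_id=63, hours=6)
    print(q)
    print(run_search(FakeQRadar(), q, poll_seconds=0))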
IBM Security Resilient can help you automate and improve your response to security and privacy events by improving your overall time to response, detection, and remediation. This lab guide is designed to introduce you to the process of writing your own inbound email parsing scripts to automate the generation of incidents, and to install and customize the Outbound Email Function for the IBM Resilient SOAR Platform. The exercises in this lab demonstrate how you can store all the correspondence in the Notes section of an incident to generate a trackable and auditable record of the investigation.
To generate an incident from an email message, first set up a connection to a mailbox, then create a simple script which parses the email into an incident, assigns a title, and adds some additional information. Finally, create a rule which reads the inbox that you configured and runs the script automatically.
Welcome to the Masters Skills University 2020 Escape Room for Resilient.
It’s check-out time!
You just completed a 3-day course, and now it's time to check out of your hotel and make your way to the lobby to catch your plane home. Make your way from your room to the lobby to complete the game.
Your Mission: Starting in your hotel room, answer questions to gain "keys" to unlock the door and move to the next room. There will be both quiz questions relating to your courses and trivia questions to help you navigate through the hotel and to the lobby.
Good luck!
This is a 360-degree presentation. Use your mouse to click and drag to view the environment.
In this session from Virtual Master Skills University 2020, Benoit Rostagni will show you advanced tips, tricks, and best practices for Playbook and Workflow design.
In this session from Virtual Master Skills University 2020, Benoit Rostagni shows you advanced tips, tricks, and best practices for Dev, Acceptance, and Production in Resilient.
In this session from Virtual Master Skills University 2020, Gerald Trotman will demonstrate how to install and configure various integrations for different use cases.
In this session from Virtual Master Skills University 2020, Benoit Rostagni will teach you advanced tips, tricks, and best practices for metrics and reporting, including ROI, KPI, and SLA.
In this session from Virtual Master Skills University 2020, Eric Vervoort will demonstrate the steps to performing a Health Check on your Resilient environment.
In this session from Virtual Master Skills University 2020, Michael Lyons will demonstrate the App Host, Resilient's new integration infrastructure that containerizes integrations and brings integration management into the WebUI, reducing the installation and deployment time of applications to minutes.
In this session from Virtual Master Skills University 2020, Chris Neely will show you what's new with the latest release of Resilient.
In this lab, as featured in the 2020 Think Digital Event Experience, you will learn how to create an Ansible Playbook as well as a Resilient Workflow that runs your Ansible Playbook within the IBM Resilient SOAR ecosystem.
In this session from Virtual Master Skills University 2020, Maurice Williams will explain how to identify and resolve some of the most common troubleshooting topics in Resilient.